🎁 Get the FREE AI Skills Starter Guide β€” Subscribe β†’
BytesAgainBytesAgain
πŸ¦€ ClawHub

ggshield Secret Scanner

by @amascia-gg

Detect 500+ types of hardcoded secrets (API keys, credentials, tokens) before they leak into git. Wraps GitGuardian's ggshield CLI.

Versionv1.0.2
Downloads3,136
Installs6
TERMINAL
clawhub install ggshield-scanner

πŸ“– About This Skill


name: ggshield-scanner description: Detect 500+ types of hardcoded secrets (API keys, credentials, tokens) before they leak into git. Wraps GitGuardian's ggshield CLI. homepage: https://github.com/GitGuardian/ggshield-skill metadata: clawdbot: requires: bins: ["ggshield"] env: ["GITGUARDIAN_API_KEY"]

ggshield Secret Scanner

Overview

ggshield is a CLI tool that detects hardcoded secrets in your codebase. This Moltbot skill brings secret scanning capabilities to your AI agent.

What Are "Secrets"?

Secrets are sensitive credentials that should NEVER be committed to version control:

  • AWS Access Keys, GCP Service Accounts, Azure credentials
  • API tokens (GitHub, Slack, Stripe, etc.)
  • Database passwords and connection strings
  • Private encryption keys and certificates
  • OAuth tokens and refresh tokens
  • PayPal/Stripe API keys
  • Email server credentials
  • Why This Matters

    A single leaked secret can:

  • πŸ”“ Compromise your infrastructure
  • πŸ’Έ Incur massive cloud bills (attackers abuse your AWS account)
  • πŸ“Š Expose customer data (GDPR/CCPA violation)
  • 🚨 Trigger security incidents and audits
  • ggshield catches these before they reach your repository.

    Features

    Commands Available

    #### 1. scan-repo Scans an entire git repository for secrets (including history).

    @clawd scan-repo /path/to/my/project
    

    Output:

    πŸ” Scanning repository...
    βœ… Repository clean: 1,234 files scanned, 0 secrets found
    

    Output on detection:

    ❌ Found 2 secrets:

  • AWS Access Key ID in config/prod.py:42
  • Slack API token in .env.backup:8
  • Use 'ggshield secret ignore --last-found' to ignore, or remove them.

    #### 2. scan-file Scans a single file for secrets.

    @clawd scan-file /path/to/config.py
    

    #### 3. scan-staged Scans only staged git changes (useful pre-commit check).

    @clawd scan-staged
    

    This runs on your git add-ed changes only (fast!).

    #### 4. install-hooks Installs ggshield as a git pre-commit hook.

    @clawd install-hooks
    

    After this, every commit is automatically scanned:

    $ git commit -m "Add config"
    πŸ” Running ggshield pre-commit hook...
    ❌ Secrets detected! Commit blocked.
    Remove the secrets and try again.
    

    #### 5. scan-docker Scans Docker images for secrets in their layers.

    @clawd scan-docker my-app:latest
    

    Installation

    Prerequisites

    1. ggshield CLI: Install via pip

       pip install ggshield>=1.15.0
       

    2. GitGuardian API Key: Required for secret detection - Sign up: https://dashboard.gitguardian.com (free) - Generate API key in Settings - Set environment variable:

    export GITGUARDIAN_API_KEY="your-api-key-here"
    

    3. Python 3.8+: Required by ggshield

    Install Skill

    clawdhub install ggshield-scanner
    

    The skill is now available in your Moltbot workspace.

    In Your Moltbot Workspace

    Start a new Moltbot session to pick up the skill:

    moltbot start
    

    or via messaging: @clawd list-skills

    Usage Patterns

    Pattern 1: Before Pushing (Security Check)

    Dev: @clawd scan-repo .
    Moltbot: βœ… Repository clean. All good to push!

    Dev: git push

    Pattern 2: Audit Existing Repo

    Dev: @clawd scan-repo ~/my-old-project
    Moltbot: ❌ Found 5 secrets in history!
             - AWS keys in config/secrets.json
             - Database password in docker-compose.yml
             - Slack webhook in .env.example
    Moltbot: Recommendation: Rotate these credentials immediately.
             Consider using git-filter-repo to remove from history.
    

    Pattern 3: Pre-Commit Enforcement

    Dev: @clawd install-hooks
    Moltbot: βœ… Installed pre-commit hook

    Dev: echo "SECRET_TOKEN=xyz" > config.py Dev: git add config.py Dev: git commit -m "Add config" Moltbot: ❌ Pre-commit hook detected secret! Dev: rm config.py && git reset Dev: (add config to .gitignore and to environment variables instead) Dev: git commit -m "Add config" # Now works!

    Pattern 4: Docker Image Security

    Dev: @clawd scan-docker my-api:v1.2.3
    Moltbot: βœ… Docker image clean
    

    Configuration

    Environment Variables

    These are required for the skill to work:

    | Variable | Value | Where to Set | | :-- | :-- | :-- | | GITGUARDIAN_API_KEY | Your API key from https://dashboard.gitguardian.com | ~/.bashrc or ~/.zshrc | | GITGUARDIAN_ENDPOINT | https://api.gitguardian.com (default, optional) | Usually not needed |

    Optional ggshield Config

    Create ~/.gitguardian/.gitguardian.yml for persistent settings:

    verbose: false
    output-format: json
    exit-code: true
    

    For details: https://docs.gitguardian.com/ggshield-docs/

    Privacy & Security

    What Data is Sent to GitGuardian?

    βœ… ONLY metadata is sent:

  • Hash of the secret pattern (not the actual secret)
  • File path (relative path only)
  • Line number
  • ❌ NEVER sent:

  • Your actual secrets or credentials
  • File contents
  • Private keys
  • Credentials
  • Reference: GitGuardian Enterprise customers can use on-premise scanning with no data sent anywhere.

    How Secrets Are Detected

    ggshield uses:

    1. Entropy-based detection: Identifies high-entropy strings (random tokens) 2. Pattern matching: Looks for known secret formats (AWS key prefixes, etc.) 3. Public CVEs: Cross-references disclosed secrets 4. Machine learning: Trained on leaked secrets database

    Troubleshooting

    "ggshield: command not found"

    ggshield is not installed or not in your PATH.

    Fix:

    pip install ggshield
    which ggshield  # Should return a path
    

    "GITGUARDIAN_API_KEY not found"

    The environment variable is not set.

    Fix:

    export GITGUARDIAN_API_KEY="your-key"
    

    For persistence, add to ~/.bashrc or ~/.zshrc:

    echo 'export GITGUARDIAN_API_KEY="your-key"' >> ~/.bashrc source ~/.bashrc

    "401 Unauthorized"

    API key is invalid or expired.

    Fix:

    # Test the API key
    ggshield auth status

    If invalid, regenerate at https://dashboard.gitguardian.com β†’ API Tokens

    Then: export GITGUARDIAN_API_KEY="new-key"

    "Slow on large repositories"

    Scanning a 50GB monorepo takes time. ggshield is doing a lot of work.

    Workaround:

    # Scan only staged changes (faster):
    @clawd scan-staged

    Or specify a subdirectory:

    @clawd scan-file ./app/config.py

    Advanced Topics

    Ignoring False Positives

    Sometimes ggshield flags a string that's NOT a secret (e.g., a test key):

    # Ignore the last secret found
    ggshield secret ignore --last-found

    Ignore all in a file

    ggshield secret ignore --path ./config-example.py

    This creates .gitguardian/config.json with ignore rules.

    Integrating with CI/CD

    You can add secret scanning to GitHub Actions / GitLab CI:

    # .github/workflows/secret-scan.yml
    name: Secret Scan
    on: [push]
    jobs:
      scan:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v3
          - run: pip install ggshield
          - run: ggshield secret scan repo .
            env:
              GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
    

    Enterprise: On-Premise Scanning

    If your company uses GitGuardian Enterprise, you can scan without sending data to the cloud:

    export GITGUARDIAN_ENDPOINT="https://your-instance.gitguardian.com"
    export GITGUARDIAN_API_KEY="your-enterprise-key"
    

    Related Resources

  • ggshield Documentation: https://docs.gitguardian.com/ggshield-docs/
  • GitGuardian Dashboard: https://dashboard.gitguardian.com (view all secrets found)
  • Moltbot Skills: https://docs.molt.bot/tools/clawdhub
  • Secret Management Best Practices: https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
  • Support

  • Bug reports: https://github.com/GitGuardian/ggshield-skill/issues
  • Questions: Open an issue or comment on ClawdHub
  • ggshield issues: https://github.com/GitGuardian/ggshield/issues
  • License

    MIT License - See LICENSE file

    Contributors

  • GitGuardian Team
  • [Your contributions welcome!]

  • Version: 1.0.0 Last updated: January 2026 Maintainer: GitGuardian

    βš™οΈ Configuration

    Environment Variables

    These are required for the skill to work:

    | Variable | Value | Where to Set | | :-- | :-- | :-- | | GITGUARDIAN_API_KEY | Your API key from https://dashboard.gitguardian.com | ~/.bashrc or ~/.zshrc | | GITGUARDIAN_ENDPOINT | https://api.gitguardian.com (default, optional) | Usually not needed |

    Optional ggshield Config

    Create ~/.gitguardian/.gitguardian.yml for persistent settings:

    verbose: false
    output-format: json
    exit-code: true
    

    For details: https://docs.gitguardian.com/ggshield-docs/

    πŸ“‹ Tips & Best Practices

    "ggshield: command not found"

    ggshield is not installed or not in your PATH.

    Fix:

    pip install ggshield
    which ggshield  # Should return a path
    

    "GITGUARDIAN_API_KEY not found"

    The environment variable is not set.

    Fix:

    export GITGUARDIAN_API_KEY="your-key"
    

    For persistence, add to ~/.bashrc or ~/.zshrc:

    echo 'export GITGUARDIAN_API_KEY="your-key"' >> ~/.bashrc source ~/.bashrc

    "401 Unauthorized"

    API key is invalid or expired.

    Fix:

    # Test the API key
    ggshield auth status

    If invalid, regenerate at https://dashboard.gitguardian.com β†’ API Tokens

    Then: export GITGUARDIAN_API_KEY="new-key"

    "Slow on large repositories"

    Scanning a 50GB monorepo takes time. ggshield is doing a lot of work.

    Workaround:

    # Scan only staged changes (faster):
    @clawd scan-staged

    Or specify a subdirectory:

    @clawd scan-file ./app/config.py